How to Build a Serverless Full-stack Application Using Git, Google Drive, and Public CI/CD Runners?

Ederson Brilhante (@edersonbrilhante), Senior Software Engineer with 11 years of professional experience working in large internet companies.

TL;DR – How I built the Vilicus Service, a serverless full-stack application with backend workers and database only using git and CI/CD runners.

What is Vilicus?

Vilicus is an open-source tool that orchestrates security scans of container images (Docker/OCI) and centralizes all results into a database for further analysis and metrics.

Vilicus provides many alternatives to use it:

This article explains how it was possible to build the Free Online Service without using a traditional deployment.

Architecture

The frontend is hosted in GitHub Pages. This frontend is a landing page with a free service to scan or display the vulnerabilities in container images.

The results of container image scans are stored in a GitLab Repository.

When the user asks to show the results for an image, the frontend calls the GitLab API to retrieve the file with the vulnerabilities for that image. If the image has not been scanned yet, the user has the option to schedule a scan using a Google Form.

When this form is filled, the data is sent to a Google Spreadsheet.

A GitHub Workflow runs every 5 minutes to check if there are new answers in this Spreadsheet. For each new image in the Spreadsheet, this workflow triggers another Workflow to scan the image and save the result in the GitLab Repository.

Why store in GitLab? GitLab provides bigger limits. Here’s a summary of differences in offering on public cloud and free tier:

=========  ==========  ==================  ===========================  ===================================
           Free users  Max repo size (GB)  Max file size (MB)           Max API calls per hour (per client)
=========  ==========  ==================  ===========================  ===================================
GitHub     3           2                   100                          5000
BitBucket  5           1                   Unlimited (up to repo size)  5000
GitLab     Unlimited   10                  Unlimited (up to repo size)  36000
=========  ==========  ==================  ===========================  ===================================

Google Drive

This choice was a “quick win”. In a usual deployment, the backend would call an API with its own secrets, so the clients never see them.

But because I am using GitHub Pages there is no backend to do that (well, I could do it in the JavaScript, but anyone using the browser's Inspect tool would see the secrets, so let's not do it 😉).

This makes the Google Spreadsheet perform as a Queue.

Google Form:

Google Spreadsheet with answers:

GitHub Workflows

The Schedule Workflow runs at most every 5 minutes. This workflow executes the Python script that checks whether there are new rows in the Google Spreadsheet and, for each new row, makes an HTTP request to trigger the repository_dispatch event.

This makes the workflows perform as backend workers.

Schedule in the workflow:

name: Schedule
on:
  schedule:
    - cron: '*/5 * * * *'
...

Event repository_dispatch in WorkFlow:

name: Report
on: [repository_dispatch]
...
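As an added example (not the Vilicus project's own script), here is the schedule-worker pattern described above in Python. It takes the spreadsheet rows as already-fetched dicts (the Google Sheets call itself is assumed to happen elsewhere), skips blank, duplicate and malformed image references before anything reaches a workflow payload, since form answers are untrusted input, and prepares the repository_dispatch call to GitHub's REST API. It also shows the GitLab Repository Files URL the frontend needs to fetch a stored result, where the project path and file path must each be percent-encoded as a single path segment. The owner, repo, project and file names, the "scan" event type and the GITHUB_TOKEN variable are assumptions, not values from the project.

```python
"""Schedule-worker pattern from the article, as an added example (not the
Vilicus project's own script).

Hypothetical assumptions: spreadsheet rows arrive as dicts with an "Image"
column (the Google Sheets fetch is out of scope here), images already handled
are tracked in a set, the GitHub token comes from the GITHUB_TOKEN environment
variable, and the dispatch event type is named "scan".
"""
import json
import os
import re
import urllib.parse
import urllib.request

# Simplified Docker/OCI image reference grammar: optional registry[:port]/,
# lowercase path components, optional :tag, optional @sha256:digest.
# Form answers are untrusted input; anything that does not match is dropped
# rather than forwarded into a workflow payload.
IMAGE_REF = re.compile(
    r"(?:[a-z0-9.-]+(?::[0-9]+)?/)?"            # registry host[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*"             # first path component
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"       # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"   # :tag
    r"(?:@sha256:[a-f0-9]{64})?"                # @digest
)


def valid_image_ref(ref: str) -> bool:
    """True only if the whole string is a well-formed image reference."""
    return IMAGE_REF.fullmatch(ref) is not None


def new_scan_requests(rows, already_scanned):
    """Images from the spreadsheet that still need a scan, in row order,
    de-duplicated, with blank, repeated and malformed entries skipped."""
    pending = []
    seen = set(already_scanned)
    for row in rows:
        image = row.get("Image", "").strip()
        if not image or image in seen or not valid_image_ref(image):
            continue
        seen.add(image)
        pending.append(image)
    return pending


def dispatch_payload(image):
    """Body of a repository_dispatch call; the Report workflow would read the
    image back from github.event.client_payload.image."""
    return {"event_type": "scan", "client_payload": {"image": image}}


def dispatch_request(owner, repo, image, token):
    """Prepared (unsent) POST to the GitHub REST dispatches endpoint."""
    return urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dispatches",
        data=json.dumps(dispatch_payload(image)).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def gitlab_raw_file_url(project_path, file_path, ref):
    """URL the frontend would use to fetch a stored scan result through the
    GitLab Repository Files API. Project path and file path are each one
    path segment, so "/" inside them must become "%2F"."""
    project = urllib.parse.quote(project_path, safe="")
    path = urllib.parse.quote(file_path, safe="")
    branch = urllib.parse.quote(ref, safe="")
    return (f"https://gitlab.com/api/v4/projects/{project}"
            f"/repository/files/{path}/raw?ref={branch}")


if __name__ == "__main__":
    # Constructed sample rows standing in for the spreadsheet export.
    sample_rows = [
        {"Image": "alpine:3.13"},
        {"Image": "alpine:3.13"},                      # duplicate answer
        {"Image": " python:3.9-slim "},                # already scanned
        {"Image": "alpine:3.13 not-an-image-ref"},     # malformed, dropped
        {"Image": "ghcr.io/example/app@sha256:" + "a" * 64},
    ]
    token = os.environ.get("GITHUB_TOKEN", "<token>")
    for image in new_scan_requests(sample_rows, {"python:3.9-slim"}):
        req = dispatch_request("example-owner", "example-repo", image, token)
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would send it; left out to stay offline.
    print(gitlab_raw_file_url("example-owner/scan-results",
                              "alpine/3.13.json", "main"))
```

Tracking which images were already handled (the `already_scanned` set) is what keeps the spreadsheet behaving as a queue rather than re-triggering every row on each 5-minute run; in the article's setup that state is the set of result files already present in the GitLab repository.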

Screenshots

Schedule History:

Schedule WorkFlow:

Scans History:

Report Workflow:

Scan Report stored in GitLab:

Source Code:

Do you want to know more about GitHub Actions?

Github Pages

The Frontend is running in GitHub Pages.

By default, an application running in GH Pages is hosted at http://<github-user>.github.io/<repository>.

But GitHub allows you to customize the domain, which is why it is possible to access Vilicus at https://vilicus.edersonbrilhante.com.br instead of http://edersonbrilhante.github.io/vilicus.

GitHub Workflow to build the application and deploy it in GH Pages

Building the source code:

- name: Build
  run: |
    cd website
    npm install
    npm run-script build
  env:
    REACT_APP_GA_CODE: ${{ secrets.REACT_APP_GA_CODE }}
    REACT_APP_FORM_SCAN: ${{ secrets.REACT_APP_FORM_SCAN }}

Deploying the build:

- name: Deploy
  uses: JamesIves/github-pages-deploy-action@releases/v3
  with:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    BRANCH: gh-pages
    FOLDER: website/build

Source Code:

Do you want to know more about GitHub Pages?

That’s it!

In case you have any questions, please ping me on LinkedIn.

Also published at https://dev.to/edersonbrilhante/a-serverless-full-stack-application-using-only-git-google-drive-and-public-ci-cd-runners-262l

Source: https://hackernoon.com/how-to-build-a-serverless-full-stack-application-using-git-google-drive-and-public-cicd-runners-b56l34df?source=rss

ZDNET

US pipeline ransomware attack serves as fair warning to persistent corporate inertia over security


Organisations that continue to disregard the need to ensure they have adopted basic cybersecurity hygiene practices should be taken to task. This will be critical, especially as cybercriminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. 

In many of my conversations with cybersecurity experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that is decades old.

Just this month, UOB Bank revealed an employee had fallen prey to a China police impersonation scam that compromised the personal data of 1,166 customers, including their mobile number and account balance. This specific impersonation use case had been flagged as a common scam tactic and even featured in a crime prevention TV programme months before. That an employee of a major bank still could have fallen for it is shocking. 

It begs the question whether its frontline staff or any employee with access to customer data has been adequately trained as well as regularly updated on how they should deal with potential cyber threats. 

Should such inertia continue to fester, there’s real cause for concern ahead especially as cyber attackers turn their attention towards operational technology (OT) sectors, such as power, water, and transport. As it is, businesses seem ill-prepared to cope with the growing threat. 

Consider the stats. Some 68% of businesses in Asia-Pacific were breached last year, up from 32% in 2019, and 17% had to deal with more than 50 cyber attacks or errors a week. And they took way too long to pick themselves up after an attack, with an average of 60.83% needing more than a week to remediate the attacks, citing lack of funds and skillsets as their key challenges. 

In Singapore, 28% had been breached in the past year, with almost 15% having to deal with at least 50 attempted cyber attacks a week. Some 33% described the resulting data loss as very serious or serious. 

Things will only get worse as businesses in the region and around the world rush to adopt tools that facilitate remote work, leaving their networks vulnerable to attacks. As it is, 54.7% viewed enabling and managing remote workforces a top ICT challenge and another 49.7% felt likewise about securing remote workers. 

As online adoption grows, supply chains will widen as businesses rush to cope with the spike in transactions. This means attack surfaces, too, will expand and it is crucial that enterprises get the fundamentals right to better mitigate potential security risks. 

When cyber risks become physical threats

And in the case of the Colonial Pipeline, the risks can be severe. 

The privately-held pipeline operator supplies 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military. It transports more than 100 million gallons of fuel a day across an area that spans Texas to New York.

The cyber attack forced the company to temporarily shut its operations and freeze IT systems to contain the infection. It triggered supply shortage concerns and pushed gasoline futures to their highest level in three years. It also prompted the US Department of Transportation to invoke emergency powers to make it easier to transport fuel by road.

Colonial Pipeline reportedly paid the ransomware group responsible for the attack $5 million to decrypt locked systems.

That it paid up shouldn’t come as a surprise, since a majority of businesses in Asia-Pacific also choose to pay up after falling victim to ransomware attacks. These include 88% in Australia and 78% in Singapore that have forked out the ransom in full or in part. 

Global pandemic opening up can of security worms

Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.


On its part, Singapore has recognised the risks cybersecurity attacks pose to its critical infrastructures. Early this month, it created a cybersecurity expert panel focused on OT, with the first meeting slated to take place in September. The move comes months after the country last October unveiled a new cybersecurity blueprint that looked to safeguard its core digital infrastructure. 

In particular, the government pointed to OT systems, where a successful attack can manifest as a severe disruption in the physical world. Such systems, including those in the energy, water, and transport sectors, are critical for delivering essential services and supporting the economy. 

In forming the OT expert panel, Singapore’s Cyber Security Agency Chief Executive David Koh said: “While OT systems were traditionally separated from the internet, increasing digitalisation has led to more IT and OT integration. Hence, it is crucial for OT systems to be better protected from cyber threats to prevent outages of critical services that could result in serious real-world consequences.”

The ransomware attack against the Colonial Pipeline has clearly demonstrated that the consequences are real and, no doubt, more are coming our way. 

That Singapore has put strong focus on OT is a positive step forward. And it is hoping the expert panel will provide some guidance on a range of issues, including governance policies, OT technologies, supply chain, threat intelligent information sharing, and incident response. 

However, with most of the industry still stuck in apparent inertia, firmer action is necessary to ensure businesses across all sectors, including OT, do not slip up. 

This should encompass even the simplest and most basic rules, such as outlawing the use of software that is more than 15 years old or mandating that all employees–including senior management–chalk up minimum training hours a year on cybersecurity threat management. 

In addition, all organisations that have encountered a security incident should be required to detail how their systems were breached. An abridged version of the attack, excluding specifics that can further compromise the company’s security, should also be publicly released. 

It should no longer be sufficient for any company to simply say the attack was “sophisticated” without giving any other information to justify that description. 

In the Colonial Pipeline case, details have been slow to trickle out, with the US government yet to receive any information from the oil pipeline operator. The Biden administration had expressed frustration over what they perceived to be weak security protocols on Colonial Pipeline’s part as well as a lack of readiness to deal with cyberattacks.

It is clearly time for all organisations, not just those in Asia, to get a grip. Because if they don’t, they won’t just be losing millions in ransom payments, actual physical lives will be at risk. Transport and healthcare operators, in particular, should take heed. 

And with cybercriminals increasingly skilled in their craft, future attacks will indeed be so complex it will put to shame use of the word “sophisticated” that appears in almost every statement companies currently make to describe the breach they suffered.

Be better. Because when it comes to cybersecurity, that is what many businesses have yet to be.

Source: https://www.zdnet.com/article/us-pipeline-ransomware-attack-serves-as-fair-warning-to-persistent-corporate-inertia-over-security/#ftag=RSSbaffb68

ZDNET

ASD knows who attacked the APH email system but isn’t revealing who


Image: Parliament House, Canberra (Getty Images)

The Australian Cyber Security Centre (ACSC), and the overseeing Australian Signals Directorate (ASD), know who attacked the email system of the Australian Parliament House, but they are not saying who it is.

“Attribution is a matter for government, and is made only when in the national interest,” it said in response to Senate Estimates Questions on Notice.

Many of the questions were passed off onto the Department of Parliamentary Service (DPS), which revealed earlier this week that it had pulled down and replaced its mobile device management (MDM) system as a result of the attack.

“The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said.

“To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

The legacy MDM system remains in use in a limited capacity.

One tidbit ASD did part with was agreeing that the attacker was unsophisticated and that the ACSC was involved in “searching for any potential implants” in the APH Exchange server.

An unsophisticated attack would have had a higher than expected chance of succeeding, thanks to the lack of 2FA.

“Before users came back on line after this incident, they were asked to implement new security controls to access APH emails via mobile handsets — namely multi-factor authentication,” Senator Kimberley Kitching said in a question.

“In the course of providing cybersecurity advice and assistance to DPS following the incident, the ACSC provided broad advice on security controls,” the ASD said.

ASD said there was no “specific threat” that led to the introduction of 2FA, and instead pointed to its Essential Eight advice first published in 2017.

DPS said earlier this week it had seen no evidence of any email accounts being compromised due to the attack, and the attack had nothing to do with recent Exchange vulnerabilities.

In another answer, ASD said no code review has been completed on the systems of the Australian Electoral Commission, but it has “conducted a vulnerability assessment and partnered with the AEC to conduct multiple uplift activities on the AEC network.”

Source: https://www.zdnet.com/article/asd-knows-who-attacked-the-aph-email-system-but-isnt-revealing-who/#ftag=RSSbaffb68

ZDNET

Labor pitches ‘startup year’ as key to Australia’s future


Image: Anthony Albanese (Getty Images)

Opposition leader Anthony Albanese has outlined his plan for Australia should Labor be successful at the next federal election, one that’s centred on things the Coalition missed in its 2021-22 Budget.

“We have a once in a century opportunity to reinvent our economy, to lift wages and make sure they keep rising, to invest in advanced manufacturing and in skills and training with public TAFE at its heart, to provide affordable childcare, to fix aged care, to address the housing crisis, to champion equality for women, and to emerge as a renewable energy superpower,” he declared in his Budget reply speech, delivered Thursday night.

“That’s the better future I want to build for Australia as Prime Minister.”

A centrepiece of Albanese’s plan is a “startup year”.

“Australia has always produced scientific innovations, but we always haven’t been good at commercialising them,” he continued, listing the black box, Google Maps, the Cochlear implant as some examples.

He said a lot of what Australia uncovers via research gets converted into manufacturing jobs overseas.
 
“And if we don’t get smart, if we don’t get serious, if we don’t get moving — the same thing is going to happen again,” he said.

The startup year, Albanese declared, is a program to “help drive innovation and increase links between universities and entrepreneurs”.

The program will allow final year university students, or recent graduates, to learn from experts about how to transform their ideas and research into products and services that Australia can sell to the world.
 
The students would do their training at established “accelerators” or “incubators”.

Startup loans will be offered to students and new graduates with ventures attached to the tertiary institution or designated private accelerator. Albanese believes this will assist in the identification of opportunities for commercialisation of university research.

Startup year will train up to 2,000 students per year and will be supported by HELP/HECS loans, up to a maximum of AU$11,300.

The loans can go towards paying for things such as training, equipment, or building prototypes.

Expanding further on this plan, Shadow Minister for Industry and Innovation Ed Husic said Labor wants to send a signal to young Australians that it “backs them and their ideas to build new firms and new jobs”.

“We want to do that through the range of university accelerators that exist across the country. We want to work with the university sector and others in the innovation space to determine how we do that selection process. And the big thing for us is to build that momentum, build that interest in starting new firms. Because really, what we need to see in this country apart from current firms getting bigger and stronger, we need to see an influx of new firms coming in with new ideas to improve the way the economy works,” he said.

This requires, however, talented people on the ground to do the work that will support startups and encourage their growth, Husic declared.

“If you’ve had a federal government that continually cuts or fails to support the university sector can’t get its act together on commercialising the research and ideas coming out of universities is cutting TAFE and is dragging the chain on innovation, this is a real problem,” he continued.

On Tuesday night, the government unveiled a “patent box” to drive research in medical and biotech technologies, and a National Centre of AI Excellence. Husic said the first was taken from similar overseas initiatives and the second was stolen from his party.

Source: https://www.zdnet.com/article/labor-pitches-startup-year-as-key-to-australias-future/#ftag=RSSbaffb68


Going Remote: Minimum Viable Workspace


Anthony (@desklamp), Internet Human. Software Engineer.

Throughout 2020 and 2021 the mode of working changed for many people. There was less office time, moving away from big cities, and more time spent working in an unconventional spot, like on your couch or in a closet so you could get someplace quiet for a few minutes. As a long-time work-from-home employee my work changed as well, which led me to question exactly what I needed from my work setup.

How It Was

When I first started working from home, years ago, I assumed my home workspace basically had to be a home office. This wasn’t practical in NYC, SF, or other cities, but I did it anyway. I had a big L-shaped desk, a secondary monitor, a vertical monitor, a powerful workstation, and a mechanical keyboard. My office had a printer, a stapler, stereo speakers, and all the other accessories that make a place feel professional. I even had a VoIP phone at one time, so I would never drop calls thanks to spotty mobile phone service.

A lot has changed in the past 10 years.

2022 WFH Life

Last year lots of us started working from home, and I already had my setup, but, like everyone else, more people were in my home as well. My spouse needed a spot to work, my kids were doing online school and needed work places — the days of the dedicated home office were over. Now I, like many others, settled into an itinerant WFH experience — spending a few hours at the standing desk, a few on the couch, 30 minutes in a walk-in closet to do a presentation…

This got me thinking about what was needed from a workspace.

Under 30 Minutes

If I’m working for a time slot of under 30 minutes, I find it can be anywhere. Sitting up in a bed, sitting on a couch, standing at the kitchen counter, it doesn’t matter. If I have my laptop and a WiFi connection, I’m good to go.

1 Hour

If you are working for a 1-hour slot, almost any place will do. You can be sitting or standing (provided the standing place is sufficiently high) and the place needs to be away from foot traffic, but I find nothing else is necessary.

1-3 Hours

For a 1-3 hour stretch of working, I need everything mentioned previously, plus seating, an outlet for charging, and a place to put a glass of water or a cup of coffee.

3-5 Hours

This is a serious stretch of time. If I’m carving out this much time to work, I’ll likely need what’s mentioned above, plus a phone charger, a quiet enough spot to take a Zoom meeting, enough space to write down some notes on paper, and the place can’t be too clean (like a bed) because I’m going to eat at some point.

5+ Hours

I rarely find that I work 5+ hour stretches any longer and I’d recommend not doing so if this is a normal thing for you. Breaking up your work with a walk, some exercise, some unrelated reading, a light nap, or almost anything, will mean greater productivity when you start up again.

Source: https://hackernoon.com/going-remote-minimum-viable-workspace-m51634n2?source=rss
